trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added Malcolm

Browse Source
This commit is contained in:
Trinitor
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
Vagrant/resources/malcolm/zeek/config/extractor.zeek Normal file
View File

@@ -0,0 +1,47 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
@load ./extractor_params
global extractor_extract_mode = (getenv("ZEEK_EXTRACTOR_MODE") == "") ? extractor_extract_known : getenv("ZEEK_EXTRACTOR_MODE");
global extractor_max_size = (getenv("EXTRACTED_FILE_MAX_BYTES") == "") ? extractor_max_size_default : to_count(getenv("EXTRACTED_FILE_MAX_BYTES"));
redef FileExtract::prefix = (getenv("ZEEK_EXTRACTOR_PATH") == "") ? "./extract_files/" : getenv("ZEEK_EXTRACTOR_PATH");
event file_sniff(f: fa_file, meta: fa_metadata) {
# extract all files OR
if ((extractor_extract_mode == extractor_extract_all) ||
# we don't know the mime type and we always want to extract unknowns OR
((! meta?$mime_type) && extractor_always_extract_unknown) ||
# we only want to extract knowns and we know the mime type OR
((extractor_extract_mode == extractor_extract_known) && meta?$mime_type) ||
# we only want to extract mime->extension mapped files, we know the mimetype, and the mime type is mapped
((extractor_extract_mode == extractor_extract_mapped) && meta?$mime_type && (meta$mime_type in extractor_mime_to_ext_map))) {
local ext: string = "";
if (! meta?$mime_type)
ext = extractor_mime_to_ext_map["default"];
else if (meta$mime_type in extractor_mime_to_ext_map)
ext = extractor_mime_to_ext_map[meta$mime_type];
else
ext = split_string(meta$mime_type, /\//)[1];
local ftime: time = 0.0;
if (! f?$last_active)
ftime = f$last_active;
else
ftime = network_time();
local uid: string = "unknown";
if (f?$conns)
# todo this is a little hacky, figure out how to do this better
for (cid in f$conns) {
uid = f$conns[cid]$uid;
break;
}
local fname = fmt("%s-%s-%s-%s.%s", f$source, f$id, uid, strftime("%Y%m%d%H%M%S", ftime), ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname, $extract_limit=extractor_max_size]);
}
}